Package: backup-manager Version: 0.7.5-3 Severity: critical Tags: security Justification: root security hole
Hi, I just discovered that backup-manager disclosures the FTP password during a running FTP upload in the process list. A user which has shell access on the computer simply needs to run the command ps wax | grep backup-manager to get the FTP username, hostname and password. The output is something like (I replaced here the sensitive data by FTPHOST, FTPUSER and FTPPASS): 3796 pts/1 SN+ 0:00 /bin/bash /usr/sbin/backup-manager -v 12647 pts/1 RN+ 0:47 /usr/bin/perl /usr/bin/backup-manager-upload -v --ftp-purge -m=ftp -h=FTPHOST -u=FTPUSER -p=FTPPASS ... With these data the attacking user is able to login into the same FTP space where the archives created by backup-manager are uploaded to. So the attacking user is also able to simply download these archive and extract them as a normal user -- with full access on all included files, even on those originally accessible by root only. :-( Have a nice day Micha -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-4-k7 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages backup-manager depends on: ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy ii findutils 4.2.28-1 utilities for finding files--find, ii gzip 1.3.5-15 The GNU compression utility ii ucf 2.0020 Update Configuration File: preserv backup-manager recommends no packages. -- debconf information excluded -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]